08-25-2014 05:18 AM - edited 03-10-2019 09:58 PM
I'm trying to achieve the following for our employees, contractors and guests.
Guests and Contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.
Employees should be allowed to register their devices after successful auth on the ISE portal login page and they should be allowed to access the internet once their device is registered. So they don't have to re-enter the credentials every 2 hours.
In ISE I've created a custom portal with mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning policy configured and I've set the Native Supplicant Provisioning Policy Unavailable: to Allow network access.
I'm currently experiencing problems with clients and they describe their problem as a portal loop. When they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment I'm working remotely and not able to replicate the problem myself. Any advice would be welcome and much appreciated.
Is there any available documentation about the built-in attributes in ISE? I'm especially interested in network use EQUALS guest flow.
12-04-2014 05:20 AM
Hi Patrick,
I'm facing a similar problem to yours, but on wired. My contractor (I name it vendor) is redirected to the guest portal, and when they log in they are redirected to the portal again.
For the device registration, I have set the Native Supplicant Provisioning Policy Unavailable: to Allow network access.
My authorization rules are as follows:
1- rules name: Vendor-wired identity: registerddevices AND identitygroup: VENDOR authorization profile: VENDOR-ACCESS
2- rules name: WIRED-CWA identity: any condition: device-type:SWITCH authorization profile: CWA-PORTAL
It looks like, when the vendor logs in, they are not hitting the first rule, although the device shows up in the registered devices and the vendor account is in the VENDOR identity group (local in ISE), so they come back again to rule 2, which redirects them to the CWA-PORTAL again.
Did you find any hint for this problem?
12-04-2014 08:48 AM
Is this a distributed deployment? How many PSNs? Does the redirect URL point to a static IP?
What is the version and patch level for the ISE? WLC Code?
Best practice is not to set static IP in the redirect URL and let the PSN responding to RADIUS to automatically be the one to which subsequent CWA requests are sent. Otherwise, the other PSN will have no knowledge of the session and will loop as shown.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
12-04-2014 09:18 AM
Hi Charles
In my case, it is wired and it is a two-node deployment, not distributed.
ISE 1.2.1 with last patch.
URL redirection is working fine, supplicant provisioning is OK, device registration is also fine.
But after the user logs in he is redirected again to the portal. The device is shown under registered devices, but the authorization rule 2 is not being hit after user login. The strange thing is that when I try again, the device registration portal asks again to register, although the device is under registered devices.
I have no clue what's going on.
10-19-2015 02:23 AM
Hi, I had similar issues with my WLC. Finally I realized the ISE PSNs and WLC had a firewall between them.
So CoA through port 1700 from PSNs to WLC was closed. I had to open it so that the CoA from PSNs to WLC could change the state of the connected client. And the loop finished.
I hope this helps.
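Added example, not part of any post in this thread and not Cisco code: a small triage script that separates the three loop causes raised above (portal login landing on a different PSN than the one that answered RADIUS, CoA to the WLC on port 1700 never acknowledged, and a re-authentication that still misses the permit rule). The event tuples and event names are a constructed, normalized format assumed for illustration, not ISE's native log output; the MAC addresses are documentation values.

```python
from collections import defaultdict

# Constructed, normalized events (not ISE's native log format): (mac, psn, event).
EVENTS = [
    ("00:00:5E:00:53:01", "psn1", "redirect"),         # hit the CWA redirect rule
    ("00:00:5E:00:53:01", "psn1", "portal_login_ok"),
    ("00:00:5E:00:53:01", "psn1", "coa_sent"),
    ("00:00:5E:00:53:01", "psn1", "coa_ack"),
    ("00:00:5E:00:53:01", "psn1", "permit"),           # healthy flow, no loop
    ("00:00:5E:00:53:02", "psn1", "redirect"),
    ("00:00:5E:00:53:02", "psn1", "portal_login_ok"),
    ("00:00:5E:00:53:02", "psn1", "coa_sent"),         # never acknowledged
    ("00:00:5E:00:53:02", "psn1", "redirect"),
    ("00:00:5E:00:53:03", "psn1", "redirect"),
    ("00:00:5E:00:53:03", "psn2", "portal_login_ok"),  # portal on a different PSN
    ("00:00:5E:00:53:03", "psn1", "redirect"),
    ("00:00:5E:00:53:04", "psn1", "redirect"),
    ("00:00:5E:00:53:04", "psn1", "portal_login_ok"),
    ("00:00:5E:00:53:04", "psn1", "coa_sent"),
    ("00:00:5E:00:53:04", "psn1", "coa_ack"),
    ("00:00:5E:00:53:04", "psn1", "redirect"),         # re-auth still redirected
]

def classify_loops(events):
    """Return {mac: likely_cause} for endpoints redirected again after a portal login."""
    state = defaultdict(dict)   # per-MAC facts gathered since the last redirect
    loops = {}
    for mac, psn, event in events:
        s = state[mac]
        if event == "redirect":
            if "login_psn" in s:                      # logged in, yet redirected again
                if s["login_psn"] != s.get("radius_psn", s["login_psn"]):
                    loops[mac] = "portal_on_other_psn"
                elif "coa_sent" not in s:
                    loops[mac] = "no_coa_sent"
                elif "coa_ack" not in s:
                    loops[mac] = "coa_not_acknowledged"
                else:
                    loops[mac] = "authz_rule_not_matched"
            state[mac] = {"radius_psn": psn}          # start tracking a new attempt
        elif event == "portal_login_ok":
            s["login_psn"] = psn
        elif event in ("coa_sent", "coa_ack"):
            s[event] = True
    return loops

if __name__ == "__main__":
    for mac, cause in classify_loops(EVENTS).items():
        print(mac, cause)
```

A `coa_not_acknowledged` result points at the path between the PSNs and the WLC or switch, while `authz_rule_not_matched` points back at the order and conditions of the authorization rules.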
12-04-2014 10:01 AM
Hi Patrick. It has been a while since I have done web based device provisioning but from what I remember, I had to create two individual web portals: 1 for standard guest access and 1 for the device provisioning. I had to do this because having the "provisioning flow" option enabled caused issues for standard guests that were not doing device onboarding.
Thank you for rating helpful posts!